Skip to content

fix out-of-bounds read parsing AVC SPS in ParseSPS#3371

Merged
chenBright merged 1 commit into
apache:masterfrom
ubeddulla:avc-sps-oob-read
Jul 4, 2026
Merged

fix out-of-bounds read parsing AVC SPS in ParseSPS#3371
chenBright merged 1 commit into
apache:masterfrom
ubeddulla:avc-sps-oob-read

Conversation

@ubeddulla

Copy link
Copy Markdown
Contributor

What problem does this PR solve?

Issue Number: N/A

Problem Summary:

AVCDecoderConfigurationRecord::Create copies the sequence header into a buffer that is not NUL-terminated (DEFINE_SMALL_ARRAY), then calls ParseSPS(buf.data() + 2, sps_length). ParseSPS takes a butil::StringPiece, so the bare const char* is turned into one through the implicit StringPiece(const char*) constructor, which runs strlen. When a publisher sends an AVC sequence header whose SPS body has no zero byte, that strlen walks off the end of the copied record and reads out of bounds. The path is reachable from untrusted RTMP video input.

What is changed and the side effects?

Changed:

Pass buf.substr(2, sps_length) so ParseSPS receives an explicitly sized view and no strlen runs. It is the same idiom already used a few lines below when pushing into sps_list. I also added a regression test that feeds a zero-free SPS body, which trips ASan on the old code and stays clean after the fix.

Side effects:

  • Performance effects: none.

  • Breaking backward compatibility: none. The reads inside ParseSPS were already bounded by sps_length, so valid sequence headers parse exactly as before.


Check List:

@wasphin

wasphin commented Jul 4, 2026

Copy link
Copy Markdown
Member

LGTM

@chenBright chenBright left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@chenBright chenBright merged commit 8d3ebb2 into apache:master Jul 4, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants